In the case observed by Lancope, the cybercriminals deployed code to compromise a vulnerable server and then commanded the server to download mailer scripts used to send the phishing emails. Figure 1 shows the script used to compromise the server. The mailer script was v0.5 of perlb0t, a.k.a. w0rmb0t or "LinuxNet perlbot" (see Figure 2). The bot, which has been seen in attacks dating back to 2006, was written with Portuguese variable names and Portuguese literal strings such as error messages. It contains a port scanner, a simple command shell, and flooder (DDoS) subroutines, and it uses IRC for C2.
Figure 1. Code deployed to compromise vulnerable systems.
Figure 2. Perl code from the bot used to obtain email software and deploy phishing emails.
It's also interesting that the report mentions the botnet contains VoIP systems compromised via Shellshock, which isn't surprising given that such systems likely weren't at the top of most organizations' patch lists. Consistent with this, the phone systems used in vishing and SMiShing attacks are often compromised VoIP servers.
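Shellshock exposure on web-facing or provisioning servers usually shows up first in access logs, because a vulnerable CGI/bash stack exports request headers as environment variables and the payload's bash function-definition prefix lands verbatim in the logged header fields. The following Python detector is an added example, not code from the report or the Lancope post; the combined-format log lines are constructed and the regexes are assumptions about the log layout, not a vendor signature.

```python
import re
from typing import Dict, Iterable, List

# Shellshock payloads are header values that start with a bash function
# definition, "() { ... };", followed by the commands to run. The detector looks
# only for that prefix so it is independent of whatever trails it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*[^}]*\}\s*;")

# Apache/nginx "combined" format: the two trailing quoted fields are the
# Referer and the User-Agent, the headers most often abused.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one benign browser hit, two probes (one via
# User-Agent, one via Referer) and a benign VoIP phone provisioning request.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/echo probe"
10.0.0.9 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { ignored;}; echo probe" "curl/7.37"
10.0.0.12 - - [25/Sep/2014:10:02:44 +0000] "POST /provision/phone.cfg HTTP/1.1" 403 0 "-" "VoIP-Phone/1.0"
"""


def detect_shellshock(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per log line whose Referer or User-Agent carries the
    bash function-definition prefix. Lines that do not parse are skipped, so
    run the parser regex against your own log format before relying on it."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("referer", "ua"):
            if SHELLSHOCK_RE.search(m.group(field)):
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "field": field, "value": m.group(field)})
                break  # one finding per line is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_shellshock(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} {f['field']}: {f['value']}")
```

A hit only shows an attempt; whether the server was actually vulnerable is answered by checking the bash version on the host and looking for the downloaded mailer scripts and outbound IRC connections described above.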
More information on Shellshock and vishing:
- Bash “Shellshock” Bug Rivals Heartbleed in Cyber Threat Severity
- Mitigating the Impact of Shellshock on Financial Institutions
- Vishing campaign steals card data from customers of dozens of banks